Lots more to document here.

Fix things for `$session_management_via = "key"`. Fix using Saml2 in conjunction with two factor authentication.
openwebwork · Oct 3, 2024 · 7944416 · 7944416
1 parent 12b7683
commit 7944416
Show file tree

Hide file tree

Showing 27 changed files with 646 additions and 612 deletions.
diff --git a/conf/authen_saml2.dist.yml b/conf/authen_saml2.dist.yml
@@ -4,117 +4,74 @@
 #
 # To enable the Saml2 plugin, copy authen_saml2.dist.yml to authen_saml2.yml
 #
-# The Saml2 plugin uses the Net::SAML2 library, the library claims to be
+# The Saml2 plugin uses the Net::SAML2 library. The library claims to be
 # compatible with a wide range of SAML2 implementations, including Shibboleth.
 ################################################################################
 
-# add this query to the end of a course url to skip the saml2 authen module
-# and go to the next one, comment out to disable this feature
+# This URL query parameter can be added to the end of a course url to skip the
+# saml2 authen module and go to the next one. Comment out the next line to
+# disable this feature.
 bypass_query: bypassSaml2
-idp: # this is the central SAML2 server
-  # url where we can get the SAML2 metadata xml for the IdP
-  metadata_url: http://idp.docker:8180/simplesaml/module.php/saml/idp/metadata
-sp: # this is the Webwork side
-  # also known as iss (issuer)
+
+# Settings for the central SAML2 server
+idp:
+  # URL that serves the SAML2 metadata xml for the IdP
+  metadata_url: http://idp/simplesaml/module.php/saml/idp/metadata
+
+# Settings for webwork2
+sp:
+  # The entity_id is also known as the iss (issuer).
   entity_id: http://localhost:8080/saml2
-  # endoints created by the plugin, relative to the webwork root url
+
+  # Endpoints used by the plugin. They are all relative to the webwork root url
   route:
-    base: '/saml2' # prefix path for all URLs handled by the plugin
-    metadata: '/metadata' # actual path would be /saml2/metadata
-    # 'Assertion Consumer Service', basically handles the SAML response, plugin
-    # only supports a POST response (HTTP POST Binding)
-    acs:
-      post: '/acs/post'
+    # Path prefix for all URLs handled by the Saml2 plugin.
+    base: /saml2
+    # Metadata path relative to the base route (so the actual path would be
+    # /saml2/metadata if the base route above is /saml2)
+    metadata: metadata
+    # The 'Assertion Consumer Service' route. This route basically handles the
+    # SAML response. The plugin only supports a POST request (HTTP POST
+    # Binding) for this route.
+    acs: acs
+    # Route for error responses from the consumer service.
+    error: error
+
   # Ideally, there would be a way to have separate app info and org info but
   # Net::SAML2's metadata generation doesn't seem to have that separation. So
-  # I've filled out the org info with app info instead.
+  # the org info contains the app info instead.
   org:
-    contact: '[email protected]'
-    name: 'webwork'
-    url: 'https://localhost:8080/'
-    display_name: 'WeBWorK'
-  # list of attributes that can be used as the username, each of them will be
+    contact: [email protected]
+    name: webwork
+    url: https://localhost:8080/
+    display_name: WeBWorK
+
+  # List of attributes that can be used as the username. Each of them will be
   # tried in turn to see if there's a matching user in the classlist. If no
-  # attributes are given, then we'll default to the NameID. Please use the
-  # attribute's OID
+  # attributes are given, then webwork2 will default to the NameID. Please use
+  # the attribute's OID.
   attributes:
-    - 'urn:oid:0.9.2342.19200300.100.1.1'
+    - urn:oid:0.9.2342.19200300.100.1.1
+
   ##############################################################################
   # SECURITY WARNING
-  # For production, you MUST generate your own unique 'cert' and 'signing_key'.
-  # The examples below are publicly exposed and thus provides NO SECURITY.
+  # For production, you MUST provide your own unique 'certificate' and
+  # 'private_key' files.  The files in the default settings below are only
+  # intended to be used in development, and are publicly exposed.  Hence, they
+  # provide NO SECURITY.
   ##############################################################################
-  # Cert and key pairs can be generated using an openssl command such as:
-  #   openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out webwork.crt -keyout webwork.pem
-  # Where webwork.crt contains the cert and webwork.pem contains the signing_key
-  cert: |
-    -----BEGIN CERTIFICATE-----
-    MIIE7zCCA1egAwIBAgIUIteyNYLSAiB0FcNl0GLJNYRppk8wDQYJKoZIhvcNAQEL
-    BQAwgYYxCzAJBgNVBAYTAkFBMQswCQYDVQQIDAJBQTEQMA4GA1UEBwwHRXhhbXBs
-    ZTEQMA4GA1UECgwHRXhhbXBsZTEQMA4GA1UECwwHRXhhbXBsZTEQMA4GA1UEAwwH
-    RXhhbXBsZTEiMCAGCSqGSIb3DQEJARYTZXhhbXBsZUBleGFtcGxlLmVkdTAeFw0y
-    NDA1MDMwMTA2MzNaFw0zNDA1MDMwMTA2MzNaMIGGMQswCQYDVQQGEwJBQTELMAkG
-    A1UECAwCQUExEDAOBgNVBAcMB0V4YW1wbGUxEDAOBgNVBAoMB0V4YW1wbGUxEDAO
-    BgNVBAsMB0V4YW1wbGUxEDAOBgNVBAMMB0V4YW1wbGUxIjAgBgkqhkiG9w0BCQEW
-    E2V4YW1wbGVAZXhhbXBsZS5lZHUwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGK
-    AoIBgQC45DCHUejzAeq+eVwEX5zSQWC+kqydEmoxpydT4YiSXnNeoNAkilKfHGOY
-    Uc4djwx148N14A+S0GCys2j3Ey2wuL7DSep5y1Z9Uxj6Ayg23XGIFFFJJLMy1Qfe
-    pjCcr1djPH9PpwglG1nTsiWqvHGGc3WWn1u6RfyrCf+jxbhygNRTA+LVPpqNvko6
-    MWKsbVLKrYMV2kPcQ0PQByNHJnjBy3KH2k99lS20h32sgHbgbVpJWdAWjeyJrOh9
-    aDt4/AfK90BvhkjF4BuQ+Jw5oIwMhbx7YmzIfiJmBLLaGjVRppuoAQtLX9uLst9l
-    aLZzaeutg+G3RUYcvDMlnP7cU8Sq4BD7uK0ChKxxCMFcihAhQ8wqCKncaaE9WqPs
-    CM16SB/6xptOxoLcg/5q3PJyUi2g4VDKXuQc6AURKIJxSM9nlrcv/R7fCFgk3Nj/
-    piWykDk6/BDWFpEHaj+NnFE9ZIxKr9CjTxdmqiDTyqSv50rNCjleyL/iASBTSCCF
-    OPVOYQECAwEAAaNTMFEwHQYDVR0OBBYEFGs8F3VIGSEk+DE2MBqqNKX6UuZTMB8G
-    A1UdIwQYMBaAFGs8F3VIGSEk+DE2MBqqNKX6UuZTMA8GA1UdEwEB/wQFMAMBAf8w
-    DQYJKoZIhvcNAQELBQADggGBAIpDktpfGH7ZqgdWvxbJrjekb1IyCGrWsHOYSjwM
-    +MxnhAA6oY63wC04a2i31zIMNOkY9F0tAdd4uDchxA9IWHqpb7t7zBlZdDabPPC3
-    WoDYnKhtZBULVVo7AvWO0UJGfZNJE393aKer3ePvfoG0OpCyrw4eFI/GCd4UjJBF
-    DnD7hvUxE7RRwOhbuYrtDRuB3Z7CeeP8o81eDVexyuBpM/9UQjYPqBBAfoeYKQzu
-    ZIhpGRWXw0ntH+EEOWagRXA5pRru61hteParZe4LBjPqisqN4Ek6ZR7MD9gB5xnt
-    Pn1BKRY08quFOZyaogzwfkYk5SCF8F8jBA8ZNAYwJWe1gtO3iw5vpUaQc2iCabvI
-    Y+Pc6qsSNwbkl7+sFrVHzI9QZVyz1cARUXxvrgGNLBkYtprkG91k6mCjX90cQspb
-    ZwHixcQyCNv+4H738e99h/Wf0YzjxFjDKrbGoosYBzWAsYYtzrtsBvw3SJMTXIh7
-    OvFMA+rbIL8XWs8oNmZDDh8g0A==
-    -----END CERTIFICATE-----
-  signing_key: |
-    -----BEGIN PRIVATE KEY-----
-    MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQC45DCHUejzAeq+
-    eVwEX5zSQWC+kqydEmoxpydT4YiSXnNeoNAkilKfHGOYUc4djwx148N14A+S0GCy
-    s2j3Ey2wuL7DSep5y1Z9Uxj6Ayg23XGIFFFJJLMy1QfepjCcr1djPH9PpwglG1nT
-    siWqvHGGc3WWn1u6RfyrCf+jxbhygNRTA+LVPpqNvko6MWKsbVLKrYMV2kPcQ0PQ
-    ByNHJnjBy3KH2k99lS20h32sgHbgbVpJWdAWjeyJrOh9aDt4/AfK90BvhkjF4BuQ
-    +Jw5oIwMhbx7YmzIfiJmBLLaGjVRppuoAQtLX9uLst9laLZzaeutg+G3RUYcvDMl
-    nP7cU8Sq4BD7uK0ChKxxCMFcihAhQ8wqCKncaaE9WqPsCM16SB/6xptOxoLcg/5q
-    3PJyUi2g4VDKXuQc6AURKIJxSM9nlrcv/R7fCFgk3Nj/piWykDk6/BDWFpEHaj+N
-    nFE9ZIxKr9CjTxdmqiDTyqSv50rNCjleyL/iASBTSCCFOPVOYQECAwEAAQKCAYAR
-    p6iCo22tFrfFrGz+9epRoXCNgg/9h66gQyfcOKMD5wT5Oj3l31d4XgucleMqq2gz
-    MaaOcPDLwh4ZskwJm8k3IM0GdN5w9tuxZ+fwp7CFXKvkpJwGcfyyk+kGd7QYoh2k
-    GjjF8Fs0v+HZ9x7lqMzmW8wUr+7gYKJ56qCAkPbF6EteCfb1Cd9UPaF04RZdBKtt
-    MxhbU9Y7CClHigbyWlgZmUW8dzoz8bTFklKL0FCJqad/bZYTMUYu91XT88oKCXbD
-    AUxpF2Ikbkfj820XOqq8iV3xGpYszt1aMRpsdXbDAhCqfKoNet2X7jnRWlNXZutC
-    RIUGm4VUNDNeD4nXW8aLgDa8bNQnvsSmM9DUVuPjbejUs0VN7uwxo8rYqvkAKiBQ
-    1ZqxoBK4ShZVcqgWE6CUj9FRZ3CVzSzydxZSQzex/ZRYPuYLUhQJFHLVIdJSYhf3
-    XTEki0+ndwAB7yP/tBNlcxLftCzAaS7mPLLn1tf0A27QPCSjwOsTLxuJ4WYVkmkC
-    gcEAuuh8EImBfE9WOg3ITmJpr95WlVi8WE6BHWowV8dQwODQLj+38itDDL1xLn9+
-    Vuz4o9AaIBiH5fCr6otun28lVp/sNVdWnBVeioSpu3tGV18OiDNaXtXOo7qkUnBI
-    Z+V7cD69gJLS6byD3OXlGi42h3XxK4mVlhwQtkQ69qI/zhl6rc0O2/iXXUAFa5T5
-    MJ84Cw1B9kHFB/NC27sraee+cwAK0Pogj5WnqaBOIPeIO/f+br65xMUvEYvDD1m4
-    TwIzAoHBAP082l0IQ5KHBY4WuFIDOoevO5SxHN5EUp2sPRDZwZxwOrjHxFRXPc/h
-    pDrVEHEn/4HQ706AHYpED0diumr4gee7gusNIDcGpXwjGVdFmFvxKoDbhz1C5vL3
-    xC7qgyS/ZtAopxpCPH3+7IrQyBk8e6He+8F97bA0e9sYSBQSuPLcdKQXGNbLYb6s
-    yLbP02cB2CNeI1GJMQIOXe9bi9Cz5w+hCGMvEKt5oAz5SLWlPBvv1YATpG5Ux8Wy
-    RbGPD4zj+wKBwBGVDx6rIMAl4nGhnEcrYM/HdZOk/kq8T88JjzSirkkGnO7M1av1
-    P+Bx7bS3D5Zzwkv+poaAaEBMLI/qv+RFm1iTwK+f4KjcJcGYCzN0vEA50+8iDY1A
-    RakHRK/wmg8T+lGrxT3UEf0k266q/atBz6VchexXi/fL+hJ7RqSuzJvBr9WrpYsx
-    zmNaQ2hEYlCdmbMIcz0MINHHo3FyIPpcb4D37wyLiwaWyGffiZn2Tx19DbUzQdxt
-    xCi9YgMOqJTeGwKBwQD4rJ0x5j+U0ApgcWcnAgyj2SwE47eZfDY0p0KAHZXGbV78
-    vQ7KU7FbRhTjwP6YX9LEQ8v7pktbz2HBk+3DxayrRrNU5lrQLjKrKDxmOu1WvAgk
-    6W5wdhYcWbnI6HlHyLzJhGIzov+MKp1V45fbUE2Hs1Q9uc+CzMcja0C8lXYQ5vOT
-    fyrhIm8lsr6W5paN/H2mnXbJRpNdlYYg2iD+HOu1qUh3PWx9Nr44f0MrPMs+E9Hw
-    J1m9DnvuYxWVOwrmK6kCgcADfcatftIJWMqeYJsDnB9jJaANmjln2G3bppo9WcIC
-    lvfXFE+Rf3FleaijVrUFbgxDU2MHh/2VPjJgIQT3QtfqS5+OnF1Z5+uOTGwbDNmT
-    3Th0IcSt6TjvLJwkanNeSkvc+2lMnuNtH6TQLXB0qEs3D7xND0kFWHfyies+RYNC
-    eualoZJ/6UL9X2gkPG5jmzXjInEBguAL0ll5yETXgx6v0hXR058TcvPl58j73cCQ
-    dzDq+xUD8nHpKM33A2EaUFY=
-    -----END PRIVATE KEY-----
+  # You will usually need to use the certificate and private key provided by the
+  # maintainers of your identity provider instance. However, if you are
+  # maintaining your own identity provide instance a certificate and private key
+  # can be generated using openssl.  For example,
+  #   openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
+  # The files saml.crt and saml.pem that are generated contain the public
+  # "certificate" and the "private_key", respectively.
+  # Place the certificates in a secure location and set certificate_file and
+  # private_key_file to the location of those files.  Note that if the files are
+  # placed within the root webwork2 app directory, then the paths may be given
+  # relative to the the root webwork2 app directory. Otherwise the absolute path
+  # must be given. Make sure that the webwork2 app has read permissions for
+  # those files.
+  certificate_file: docker-config/idp/certs/saml.crt
+  private_key_file: docker-config/idp/certs/saml.pem
diff --git a/docker-config/docker-compose.dist.yml b/docker-config/docker-compose.dist.yml
@@ -251,7 +251,7 @@ services:
     #ports:
     #  - "6311:6311"
 
-  # saml2 dev use only, separate profile from the other services so it doesn't
+  # Saml2 development use only. This is a separate profile from the other services so it doesn't
   # start in normal usage. Use "docker compose --profile saml2dev up" to start.
   idp:
     build:
@@ -261,37 +261,16 @@ services:
     ports:
       - '8180:80'
     environment:
-      SP_METADATA_URL: 'http://app.docker:8080/saml2/metadata'
-    # the healthcheck url is simplesamlphp's url for triggering cron jobs, the
-    # cron job it'll trigger is to automatically grab webwork sp's metadata
+      SP_METADATA_URL: 'http://app:8080/saml2/metadata'
+    # The healthcheck url is simplesamlphp's url for triggering cron jobs. The
+    # cron job it will trigger will automatically grab webwork sp's metadata.
     healthcheck:
-      test: ['CMD', 'curl', '-f', 'http://localhost/simplesaml/module.php/cron/run/docker/healthcheck']
+      test: ['CMD', 'curl', '-f', 'http://localhost/simplesaml/module.php/cron/run/metarefresh/webwork2']
       start_period: 1m
       start_interval: 15s
       interval: 1h
       retries: 1
       timeout: 10s
-  # Send internal docker traffic for the idp external port to the idp internal
-  # port. Needed so the webwork saml2 plugin can request the idp metadata.
-  socat-idp:
-    image: alpine/socat:1.8.0.0
-    profiles:
-      - saml2dev
-    command: 'TCP-LISTEN:8180,fork,reuseaddr TCP:idp:80'
-    networks:
-      default:
-        aliases:
-          - idp.docker
-  # same port redirect so the idp can get the webwork saml2 plugin metadata
-  socat-app:
-    image: alpine/socat:1.8.0.0
-    profiles:
-      - saml2dev
-    command: 'TCP-LISTEN:8080,fork,reuseaddr TCP:app:8080'
-    networks:
-      default:
-        aliases:
-          - app.docker
 
 volumes:
   oplVolume:

diff --git a/docker-config/idp/Dockerfile b/docker-config/idp/Dockerfile
@@ -1,36 +1,38 @@
-# actual image we'll run in the end
 FROM php:8.3-apache
 WORKDIR /var/www
 
-# Install composer & php extension installer
+# Install composer and the php extension installer.
 COPY --from=composer/composer:2-bin /composer /usr/bin/composer
 COPY --from=mlocati/php-extension-installer /usr/bin/install-php-extensions /usr/local/bin/
 
 RUN apt-get update && \
 	apt-get -y install git curl vim && \
 	install-php-extensions ldap zip
 
-# dirs used by simplesamlphp needs to be accessible by apache user
+# Directories used by simplesamlphp.  These need to be accessible by the apache2 user.
 RUN mkdir simplesamlphp/ /var/cache/simplesamlphp
-RUN chown www-data. simplesamlphp/ /var/cache/simplesamlphp
-# Composer doesn't like to be root, so we'll run the rest as the apache user
+RUN chown www-data simplesamlphp/ /var/cache/simplesamlphp
+
+COPY ./idp.apache2.conf /etc/apache2/conf-available
+RUN a2enconf idp.apache2
+
+# Composer doesn't like to be root, so run the rest as the apache user.
 USER www-data
 
 # Install simplesamlphp
-ARG SIMPLESAMLPHP_TAG=v2.2.1
-RUN git clone --branch $SIMPLESAMLPHP_TAG https://github.com/simplesamlphp/simplesamlphp.git
+RUN git clone --branch v2.2.1 https://github.com/simplesamlphp/simplesamlphp.git
 WORKDIR /var/www/simplesamlphp
 
-# Generate certs
+# Generate the server certificates.
 RUN cd cert/ && \
-	openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem -subj "/C=CA/SP=BC/L=Vancouver/O=UBC/CN=idp.docker"
+	openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem \
+		-subj "/C=US/S=New York/L=Rochester/O=WeBWorK/CN=idp.webwork2"
 
-# Use composer to install dependencies
+# Use composer to install dependencies.
 RUN composer install && \
 	composer require simplesamlphp/simplesamlphp-module-metarefresh
 
-# Copy config files
+# Copy configuration files.
 COPY ./config/ config/
 COPY ./metadata/ metadata/
 
-COPY ./apache.conf /etc/apache2/sites-available/000-default.conf
diff --git a/docker-config/idp/apache.conf b/docker-config/idp/apache.conf
diff --git a/docker-config/idp/certs/saml.crt b/docker-config/idp/certs/saml.crt
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE7zCCA1egAwIBAgIUIteyNYLSAiB0FcNl0GLJNYRppk8wDQYJKoZIhvcNAQEL
+BQAwgYYxCzAJBgNVBAYTAkFBMQswCQYDVQQIDAJBQTEQMA4GA1UEBwwHRXhhbXBs
+ZTEQMA4GA1UECgwHRXhhbXBsZTEQMA4GA1UECwwHRXhhbXBsZTEQMA4GA1UEAwwH
+RXhhbXBsZTEiMCAGCSqGSIb3DQEJARYTZXhhbXBsZUBleGFtcGxlLmVkdTAeFw0y
+NDA1MDMwMTA2MzNaFw0zNDA1MDMwMTA2MzNaMIGGMQswCQYDVQQGEwJBQTELMAkG
+A1UECAwCQUExEDAOBgNVBAcMB0V4YW1wbGUxEDAOBgNVBAoMB0V4YW1wbGUxEDAO
+BgNVBAsMB0V4YW1wbGUxEDAOBgNVBAMMB0V4YW1wbGUxIjAgBgkqhkiG9w0BCQEW
+E2V4YW1wbGVAZXhhbXBsZS5lZHUwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGK
+AoIBgQC45DCHUejzAeq+eVwEX5zSQWC+kqydEmoxpydT4YiSXnNeoNAkilKfHGOY
+Uc4djwx148N14A+S0GCys2j3Ey2wuL7DSep5y1Z9Uxj6Ayg23XGIFFFJJLMy1Qfe
+pjCcr1djPH9PpwglG1nTsiWqvHGGc3WWn1u6RfyrCf+jxbhygNRTA+LVPpqNvko6
+MWKsbVLKrYMV2kPcQ0PQByNHJnjBy3KH2k99lS20h32sgHbgbVpJWdAWjeyJrOh9
+aDt4/AfK90BvhkjF4BuQ+Jw5oIwMhbx7YmzIfiJmBLLaGjVRppuoAQtLX9uLst9l
+aLZzaeutg+G3RUYcvDMlnP7cU8Sq4BD7uK0ChKxxCMFcihAhQ8wqCKncaaE9WqPs
+CM16SB/6xptOxoLcg/5q3PJyUi2g4VDKXuQc6AURKIJxSM9nlrcv/R7fCFgk3Nj/
+piWykDk6/BDWFpEHaj+NnFE9ZIxKr9CjTxdmqiDTyqSv50rNCjleyL/iASBTSCCF
+OPVOYQECAwEAAaNTMFEwHQYDVR0OBBYEFGs8F3VIGSEk+DE2MBqqNKX6UuZTMB8G
+A1UdIwQYMBaAFGs8F3VIGSEk+DE2MBqqNKX6UuZTMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggGBAIpDktpfGH7ZqgdWvxbJrjekb1IyCGrWsHOYSjwM
++MxnhAA6oY63wC04a2i31zIMNOkY9F0tAdd4uDchxA9IWHqpb7t7zBlZdDabPPC3
+WoDYnKhtZBULVVo7AvWO0UJGfZNJE393aKer3ePvfoG0OpCyrw4eFI/GCd4UjJBF
+DnD7hvUxE7RRwOhbuYrtDRuB3Z7CeeP8o81eDVexyuBpM/9UQjYPqBBAfoeYKQzu
+ZIhpGRWXw0ntH+EEOWagRXA5pRru61hteParZe4LBjPqisqN4Ek6ZR7MD9gB5xnt
+Pn1BKRY08quFOZyaogzwfkYk5SCF8F8jBA8ZNAYwJWe1gtO3iw5vpUaQc2iCabvI
+Y+Pc6qsSNwbkl7+sFrVHzI9QZVyz1cARUXxvrgGNLBkYtprkG91k6mCjX90cQspb
+ZwHixcQyCNv+4H738e99h/Wf0YzjxFjDKrbGoosYBzWAsYYtzrtsBvw3SJMTXIh7
+OvFMA+rbIL8XWs8oNmZDDh8g0A==
+-----END CERTIFICATE-----
diff --git a/docker-config/idp/certs/saml.pem b/docker-config/idp/certs/saml.pem
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQC45DCHUejzAeq+
+eVwEX5zSQWC+kqydEmoxpydT4YiSXnNeoNAkilKfHGOYUc4djwx148N14A+S0GCy
+s2j3Ey2wuL7DSep5y1Z9Uxj6Ayg23XGIFFFJJLMy1QfepjCcr1djPH9PpwglG1nT
+siWqvHGGc3WWn1u6RfyrCf+jxbhygNRTA+LVPpqNvko6MWKsbVLKrYMV2kPcQ0PQ
+ByNHJnjBy3KH2k99lS20h32sgHbgbVpJWdAWjeyJrOh9aDt4/AfK90BvhkjF4BuQ
++Jw5oIwMhbx7YmzIfiJmBLLaGjVRppuoAQtLX9uLst9laLZzaeutg+G3RUYcvDMl
+nP7cU8Sq4BD7uK0ChKxxCMFcihAhQ8wqCKncaaE9WqPsCM16SB/6xptOxoLcg/5q
+3PJyUi2g4VDKXuQc6AURKIJxSM9nlrcv/R7fCFgk3Nj/piWykDk6/BDWFpEHaj+N
+nFE9ZIxKr9CjTxdmqiDTyqSv50rNCjleyL/iASBTSCCFOPVOYQECAwEAAQKCAYAR
+p6iCo22tFrfFrGz+9epRoXCNgg/9h66gQyfcOKMD5wT5Oj3l31d4XgucleMqq2gz
+MaaOcPDLwh4ZskwJm8k3IM0GdN5w9tuxZ+fwp7CFXKvkpJwGcfyyk+kGd7QYoh2k
+GjjF8Fs0v+HZ9x7lqMzmW8wUr+7gYKJ56qCAkPbF6EteCfb1Cd9UPaF04RZdBKtt
+MxhbU9Y7CClHigbyWlgZmUW8dzoz8bTFklKL0FCJqad/bZYTMUYu91XT88oKCXbD
+AUxpF2Ikbkfj820XOqq8iV3xGpYszt1aMRpsdXbDAhCqfKoNet2X7jnRWlNXZutC
+RIUGm4VUNDNeD4nXW8aLgDa8bNQnvsSmM9DUVuPjbejUs0VN7uwxo8rYqvkAKiBQ
+1ZqxoBK4ShZVcqgWE6CUj9FRZ3CVzSzydxZSQzex/ZRYPuYLUhQJFHLVIdJSYhf3
+XTEki0+ndwAB7yP/tBNlcxLftCzAaS7mPLLn1tf0A27QPCSjwOsTLxuJ4WYVkmkC
+gcEAuuh8EImBfE9WOg3ITmJpr95WlVi8WE6BHWowV8dQwODQLj+38itDDL1xLn9+
+Vuz4o9AaIBiH5fCr6otun28lVp/sNVdWnBVeioSpu3tGV18OiDNaXtXOo7qkUnBI
+Z+V7cD69gJLS6byD3OXlGi42h3XxK4mVlhwQtkQ69qI/zhl6rc0O2/iXXUAFa5T5
+MJ84Cw1B9kHFB/NC27sraee+cwAK0Pogj5WnqaBOIPeIO/f+br65xMUvEYvDD1m4
+TwIzAoHBAP082l0IQ5KHBY4WuFIDOoevO5SxHN5EUp2sPRDZwZxwOrjHxFRXPc/h
+pDrVEHEn/4HQ706AHYpED0diumr4gee7gusNIDcGpXwjGVdFmFvxKoDbhz1C5vL3
+xC7qgyS/ZtAopxpCPH3+7IrQyBk8e6He+8F97bA0e9sYSBQSuPLcdKQXGNbLYb6s
+yLbP02cB2CNeI1GJMQIOXe9bi9Cz5w+hCGMvEKt5oAz5SLWlPBvv1YATpG5Ux8Wy
+RbGPD4zj+wKBwBGVDx6rIMAl4nGhnEcrYM/HdZOk/kq8T88JjzSirkkGnO7M1av1
+P+Bx7bS3D5Zzwkv+poaAaEBMLI/qv+RFm1iTwK+f4KjcJcGYCzN0vEA50+8iDY1A
+RakHRK/wmg8T+lGrxT3UEf0k266q/atBz6VchexXi/fL+hJ7RqSuzJvBr9WrpYsx
+zmNaQ2hEYlCdmbMIcz0MINHHo3FyIPpcb4D37wyLiwaWyGffiZn2Tx19DbUzQdxt
+xCi9YgMOqJTeGwKBwQD4rJ0x5j+U0ApgcWcnAgyj2SwE47eZfDY0p0KAHZXGbV78
+vQ7KU7FbRhTjwP6YX9LEQ8v7pktbz2HBk+3DxayrRrNU5lrQLjKrKDxmOu1WvAgk
+6W5wdhYcWbnI6HlHyLzJhGIzov+MKp1V45fbUE2Hs1Q9uc+CzMcja0C8lXYQ5vOT
+fyrhIm8lsr6W5paN/H2mnXbJRpNdlYYg2iD+HOu1qUh3PWx9Nr44f0MrPMs+E9Hw
+J1m9DnvuYxWVOwrmK6kCgcADfcatftIJWMqeYJsDnB9jJaANmjln2G3bppo9WcIC
+lvfXFE+Rf3FleaijVrUFbgxDU2MHh/2VPjJgIQT3QtfqS5+OnF1Z5+uOTGwbDNmT
+3Th0IcSt6TjvLJwkanNeSkvc+2lMnuNtH6TQLXB0qEs3D7xND0kFWHfyies+RYNC
+eualoZJ/6UL9X2gkPG5jmzXjInEBguAL0ll5yETXgx6v0hXR058TcvPl58j73cCQ
+dzDq+xUD8nHpKM33A2EaUFY=
+-----END PRIVATE KEY-----
diff --git a/docker-config/idp/config/authsources.php b/docker-config/idp/config/authsources.php
@@ -67,7 +67,6 @@
 	//    */
 	//],
 
-
 	/*
 	'example-sql' => [
 		'sqlauth:SQL',
-Original file line number
+Diff line change
@@ Expand Up / @@ -67,7 +67,6 @@ @@
     	//    */
     	//],
     	/*
     	'example-sql' => [
     		'sqlauth:SQL',
@@ Expand Down @@